authorKoen Wilde <koen@chillheid.nl>2023-05-20 13:36:33 +0200
committerKoen Wilde <koen@chillheid.nl>2023-05-20 15:11:23 +0200
commit0f37581eab9258755adf6fef2c6b46c20add6fc3 (patch)
treebbcdeaba7eb75519677f54ac320e9d83cd6a00df /nixos/modules/services/networking
parentc7065be73d651f4a3034b8f0cff515d15113b398 (diff)
nixos/libreswan: Use StateDirectory to setup ipsec/nss
The systemd manual `systemd.exec(5)` discusses the partly overlapping
functionality of `tmpfiles.d(5)` and of other, more semantic settings, and
recommends using the semantic settings when they fit your needs, because
they offer more guarantees.

One of those guarantees is that they are guaranteed to be ready by the
time the process starts whereas `tmpfiles.d` can be executed
asynchronously. I believe this is the cause of some issues I ran into
where I had to manually create the `/var/lib/ipsec/nss` directory. This
patch fixed those issues for me.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/libreswan.nix7
1 files changed, 4 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix
index 785729d8f742..637cd5493819 100644
--- a/nixos/modules/services/networking/libreswan.nix
+++ b/nixos/modules/services/networking/libreswan.nix
@@ -133,9 +133,6 @@ in
       "ipsec.d/01-nixos.conf".source = configFile;
     } // policyFiles;
 
-    # Create NSS database directory
-    systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];
-
     systemd.services.ipsec = {
       description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
       wantedBy = [ "multi-user.target" ];
@@ -153,6 +150,10 @@ in
         echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
         echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
       '';
+      serviceConfig = {
+        StateDirectory = "ipsec/nss";
+        StateDirectoryMode = 0700;
+      };
     };
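Review bot: `StateDirectoryMode = 0700;` is a Nix integer, and Nix has no octal literals, so this evaluates to decimal 700 and is rendered into the unit as `StateDirectoryMode=700`; systemd parses that field as octal, so the effective mode is still 0700, but only because the digit string happens to survive the round trip. The idiomatic spelling in NixOS modules is the string `StateDirectoryMode = "0700";`, which states the intent directly and does not depend on that coincidence. Since the hunk also silently tightens the directory from the 755 the removed tmpfiles rule used, a short comment such as `# NSS database holds the daemon's IPsec keys; keep it root-only` would tell the next reader this was deliberate. Whether an existing /var/lib/ipsec/nss created with the old 755 rule has its mode corrected on upgrade is not shown here and should be confirmed against systemd's handling of pre-existing StateDirectory paths. The `systemd.services.ipsec` attribute set that this `serviceConfig` belongs to opens outside the hunk, so it is not visible whether a `serviceConfig` attribute is already defined there.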
 
   };